"You may already have this covered, but if not ... you might want to
allow for **non** username + password authentication. Things like
TypeKey, OpenID, and various single signon systems work using a vastly
different algo than username+password, and you may wish to take that
into account. PEAR Auth suffers from that problem; Solar_Auth and its
adapters I had to almost completely rewrite to allow for both kinds of
processing.)"